IPSec will not connect (racoon: couldn't find configuration)



  • Hey, guys.

    I'm having a problem with my IPSec configuration.
    On one side, everything works out pretty nice.
    On the other side, racoon is making bad noises about not finding a correct configuration.

    "ERROR: couldn't find configuration."

    However, if I kill racoon, and run it in the foreground with debug output on, I get some more information.

    2008-07-16 16:06:27: DEBUG: ===
    2008-07-16 16:06:27: DEBUG: 100 bytes message received from <remote_ip>[57413] to <local_ip>[500]
    2008-07-16 16:06:27: DEBUG:
    ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034
    00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0
    80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
    77570100
    2008-07-16 16:06:27: DEBUG: no remote configuration found.
    2008-07-16 16:06:27: ERROR: couldn't find configuration.

    The configuration is pretty straight forward, generated by pfSense.

    cat racoon.conf

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    remote <remote_ip>{
          exchange_mode main;
          my_identifier address "<gw on="" correct="" vlan="">";

    peers_identifier address <remote_ip>;
          initial_contact on;
          support_proxy on;
          proposal_check obey;

    proposal {
                  encryption_algorithm 3des;
                  hash_algorithm sha1;
                  authentication_method pre_shared_key;
                  dh_group 2;
                  lifetime time 2400 secs;
          }
          lifetime time 2400 secs;
    }

    sainfo address <local_network>any address <remote_network>any {
          encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
          authentication_algorithm hmac_sha1,hmac_md5;
          compression_algorithm deflate;
          lifetime time 1200 secs;
    }

    Here is the weird thing; if I change that remote stanza to read

    remote anonymous {
    blah;
    }

    then everything works out nice, racoon even tells me it uses the anonymous stanza for that correct IP.

    2008-07-16 16:11:06: DEBUG: anonymous configuration selected for <remote_ip>.

    So, to me this seems really odd, how come racoon isn't picking up that stanza when configured like pfsense configures it ?
    Using the remote stanza is not what I really want, and either way I can't see a way to make pfsense generate one of those either.

    So, does anyone have any ideas on what is going on here ?
    Using tcpdump I can see that it is in fact my <remote_ip>that is coming through to racoon, on port 500/UDP.

    Thanks for a great product, by the way.</remote_ip></remote_ip></remote_network></local_network></remote_ip></gw></remote_ip></local_ip></remote_ip>


Log in to reply